In the Claims:

Please note the following current set of claims: 

1. (Currently Amended) A method for providing cryptographic capabilities to a plurality of
network users over a decentralized public network, the method comprising:

(a) receiving a request for an access permission security profile on behalf of a network user
that gives the network user the ability to access one or more objects associated with a domain
according to the network user's membership in one or more groups within the domain;

(b) authenticating the request from the network user according to an n-factor authentication
suitable to the plurality of network users and verifying membership in the domain and the one or
more groups;

(c) creating the access permission security profile having an ephemeral cryptographic
characteristic and derived from a combination of the user's membership in the one or more groups,
wherein the combination of the user's membership in the one or more groups [[to be used in
forming]] can be used to form a cryptographic key for enabling the network user to decrypt selected
portions of an encrypted object when one or more groups associated with the encrypted object match
the network user's membership in one or more groups within the domain and to encrypt selected
portions of a plaintext object to be accessed by other network users when the other network users'
membership in one or more groups within the domain also matches the one or more groups associated
with the selected portions of the plaintext object being encrypted; and

(d) securely transmitting the access permission security profile to the network user over the
network wherein the ephemeral cryptographic characteristic allows the network user in receipt of the
access permission security profile to perform cryptographic operations for a predetermined period of
time.

2. (Currently Amended) The method of claim 1, wherein the creating step comprises:

(i) identifying one or more groups of network users who are to be provided with
cryptographic capabilities according to each network user's membership in a particular combination
of groups within the domain;

(ii) establishing one or more access codes for each group in the domain, wherein each access
code is adapted to be combined with other components to form [[a]] the cryptographic key; and

(iii) creating one or more access permission security profiles for each network user's
membership in one or more different combination of groups in the domain, wherein [[each]] the access
permission security profile for each network user contains at least one access code in correspondence
to the network user's membership in at least one group in the domain.

3. (Currently Amended) The method of claim [[2]] 1, wherein each group is a category,
organization, organizational unit, set of role based credentials, work project, geographical location,
workgroup [[etc.]] within the domain.

4. (Currently Amended) A method for providing decryption capabilities to a plurality of 
network users over a decentralized public network, the method comprising: 

(a) receiving a request for decryption capabilities on behalf of a network user that gives the 
network user the ability to decrypt one or more encrypted objects associated with a domain 
according to the network user's membership in one or more groups within the domain;


Applicant: Sweet et al.
Atty. Dkt.: 00131-000100000
Issued: n/a
Serial No.: 09/930,029
Filed: 08/14/2001
Date: 4/15/2008


(b) authenticating the request from the network user according to an n-factor authentication
suitable to the plurality of network users and verifying membership in the domain and the one or
more groups;

(c) creating an access permission security profile derived from a combination of the user's
membership in the one or more groups, wherein the combination of the user's membership in the one
or more groups [[to be used in forming]] can be used to form a cryptographic key and for enabling
the network user to decrypt [[an]] selected portions of the one or more encrypted objects;

(d) receiving [[from the user]] information associated with the selected portions of an encrypted
object;

(e) generating a cryptographic working key using the cryptographic key from the access
permission security profile and the received information associated with the selected portions of the
encrypted object; and

(f) securely transmitting the cryptographic working key to the network user over the network
allowing the network user to decrypt other than the selected portions of the encrypted object.

5. (Currently Amended) The method of claim 4, wherein the creating step includes:

(i) identifying one or more groups of network users who are to be provided with
cryptographic capabilities according to each network user's membership in a particular combination
of groups within the domain;

(ii) establishing one or more access codes for each group in the domain, wherein each access
code is adapted to be combined with other components to form [[a]] the cryptographic key; and

(iii) creating one or more access permission security profiles for each network user's
membership in one or more different combination of groups in the domain, wherein [[each]] the access
permission security profile for each network user contains at least one access code in correspondence
to the network user's membership in at least one group in the domain.

6. (Currently Amended) The method of claim [[5]] 4, wherein each group is a category,
organization, organizational unit, set of role based credentials, work project, geographical location,
workgroup [[etc.]] within the domain.

7. (Currently Amended) A method for cryptographically securing the distribution of
information over a decentralized public network to a plurality of network users, the method
comprising:

(a) creating a computer representable data object including one or more embedded objects;

(b) associating a pseudorandom cryptographic key [[selecting]] with each of the one or more
embedded objects of the data object to be encrypted;

(c) encrypting [[the selected]] each of the embedded objects using a working key derived from
the respective pseudorandom cryptographic key associated with the embedded object and other
components;

(d) creating a set of one or more access permission credentials that identify the roles each of
the plurality of network users may possess in a domain and their membership in one or more groups
as defined by various combinations of the one or more access permission credentials;

(e) assigning [[an access permission]] a member credential to each of the selected embedded
objects, wherein the member [[access permission]] credential is a specific combination of the one or
more access permission credentials ensuring [[ensures]] that only authorized network users having a
matching member credential are able to decrypt encrypted embedded objects of the data object;

(f) inserting the pseudorandom cryptographic key in the header of each embedded object after
first encrypting the pseudorandom cryptographic key with a credential key derived from the member
credential associated with each embedded object;

(g) transmitting the data object over the network having the encrypted pseudorandom key
inserted in a portion of the embedded object; and

(h) securely transmitting an access permission security profile, having an ephemeral
cryptographic characteristic, to [[authorizing]] at least one network user from the plurality of network
users wherein the access permission security profile for the at least one network user can be used to
generate a credential key capable of decrypting the encrypted pseudorandom cryptographic key
associated with the encrypted object because the member credential of the network user matches the
member credentials associated with the encrypted object, wherein the ephemeral cryptographic
characteristic allows the network user in receipt of the access permission security profile to perform
cryptographic operations for a predetermined period of time.

[[(g) transmitting the data object over the network.]]

8. (Original) The method of claim 7, wherein the information is digital content. 

9. (Currently Amended) The method of claim 7, wherein securely transmitting [[the
authorizing]] step further includes:

(i) receiving a request for an access permission security profile on behalf of a network user;
and

(ii) authenticating the request from the network user using an n-factor authentication suitable
to authenticate the plurality of network users[[, and

(iii) securely transmitting the security profile to the network user over the network]].

10. (Currently Amended) The method of claim 7, wherein securely transmitting [[the
authorizing]] step further includes:

(i) sending a request for an access permission security profile on behalf of a network user to
a centralized server system over the network;

(ii) receiving the request on behalf of the network user at the central server system; and

(iii) authenticating the request as from the network user using an n-factor authentication
suitable to authenticate the plurality of network users[[, and

(iv) securely transmitting the access permission security profile from the server system to the
network user over the network]].

11. (Currently Amended) The method of claim 7, wherein the step of securely transmitting
an access permission security profile is not performed if [[authorizing step is automatic and based
upon]] the user already has [[user's]] possession of an access permission security profile.

12. (Currently Amended) The method of claim 7, wherein the working key [[encrypting step]]
may further be derived from at least a domain component, a maintenance component and the
pseudorandom cryptographic key[[, comprises:

(i) identifying a group of network users who are to be allowed access to a data object to be
encrypted;

(ii) generating an appropriate cryptographic credential key from a set of credential
categories, said credential key relating to the group of network users;

(iii) generating a cryptographic working key from at least a domain component, a
maintenance component, and a pseudorandom component;

(iv) encrypting the data object with the working key;

(v) encrypting the pseudorandom component with the credential key; and

(vi) associating the encrypted pseudorandom component to the encrypted data object]].
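The key hierarchy recited in claims 7 and 12 (a pseudorandom key chosen per embedded object, a working key derived from a domain component, a maintenance component and that pseudorandom key, and the pseudorandom key wrapped under a credential key formed from the access codes of the member credential) can be walked through end to end. The following Python is an added illustration, not code from the application: it stands in HMAC-SHA256 for the unspecified key derivation and a SHA-256 counter-mode keystream for the unspecified cipher, and the function names, the sample access codes and the domain and maintenance values are all constructed for the example.

```python
import hashlib
import hmac
import os

# Illustrative stand-ins for the primitives the claims leave unspecified: HMAC-SHA256
# for key derivation and a SHA-256 counter-mode keystream for encryption. A real
# deployment would use a standard KDF and an AEAD such as AES-GCM.

# Constructed sample access codes, one per group in the domain (claim 2(ii)).
ACCESS_CODES = {"finance": b"code-fin-01", "managers": b"code-mgr-01", "staff": b"code-staff-01"}

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from key and nonce; self-inverse."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def profile_for(groups):
    """Access permission security profile: the access codes for the user's groups (claim 2(iii))."""
    return {g: ACCESS_CODES[g] for g in groups}

def credential_key(profile: dict, groups) -> bytes:
    """Credential key for one combination of groups (claim 7(e)), built from their
    access codes; sorting makes it independent of group order."""
    material = b"|".join(profile[g] for g in sorted(groups))
    return hmac.new(b"credential-key", material, hashlib.sha256).digest()

def working_key(domain: bytes, maintenance: bytes, prk: bytes) -> bytes:
    """Working key from domain and maintenance components plus the pseudorandom key (claim 12)."""
    return hmac.new(prk, b"working-key|" + domain + b"|" + maintenance, hashlib.sha256).digest()

def encrypt_embedded_object(plaintext: bytes, groups, domain: bytes, maintenance: bytes):
    """Encrypt one embedded object for the given member credential (claims 7(b), (c), (e), (f))."""
    prk, nonce = os.urandom(32), os.urandom(16)        # pseudorandom key chosen per object
    wk = working_key(domain, maintenance, prk)
    body = keystream_xor(wk, nonce, plaintext)
    wrapped = keystream_xor(credential_key(ACCESS_CODES, groups), nonce, prk)  # goes in the header
    tag = hmac.new(wk, nonce + body, hashlib.sha256).digest()  # lets a wrong key be detected
    return {"groups": sorted(groups), "nonce": nonce, "wrapped_key": wrapped, "tag": tag}, body

def decrypt_embedded_object(header: dict, body: bytes, profile: dict, domain: bytes, maintenance: bytes):
    """Return the plaintext, or None if the profile lacks a required group or the key is wrong (claim 62)."""
    if any(g not in profile for g in header["groups"]):
        return None
    prk = keystream_xor(credential_key(profile, header["groups"]), header["nonce"], header["wrapped_key"])
    wk = working_key(domain, maintenance, prk)
    if not hmac.compare_digest(header["tag"], hmac.new(wk, header["nonce"] + body, hashlib.sha256).digest()):
        return None
    return keystream_xor(wk, header["nonce"], body)
```

The group check in the decrypt routine is only a fast path: a profile holding wrong access codes still derives the wrong credential key, so the integrity tag fails and nothing is returned.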

13. (Currently Amended) The method of claim 10, wherein the access permission security
profile is created by:

(i) identifying one or more groups of network users who are to be provided with
cryptographic capabilities;

(ii) establishing one or more access codes for each group, wherein each access code is
adapted to be combined with other components to form a cryptographic key; and

(iii) creating one or more access permission security profiles for each network user's
membership in one or more different combination of groups in the domain, wherein [[each]] the access
permission security profile for each network user contains at least one access code in correspondence
to the network user's membership in at least one group in the domain.

14. (Currently Amended) The method of claim 13, wherein each group is a category, 
organization, organizational unit, set of role based credentials, work project, geographical location, 
workgroup within the domain. 

15. (Original) The method of claim 1, 4 or 9, wherein the request is initiated in-band by the 
network user over the network. 
16. (Original) The method of claim 1, 4, 9, 10, or 11, wherein the access permission
security profile is in the form of a token that is adaptable to expire.

17. (Original) The method of claim 1,4,9, or 10, wherein the authenticating step includes 
the use of biometric identification. 

18. (Original) The method of claim 1, 4, 9, or 10, wherein the authenticating step includes 
the use of a hardware token. 

19. (Original) The method of claim 1, 4, 9, or 10, wherein the authenticating step includes 
the use of a software token. 

20. (Original) The method of claim 1,4,9, or 10, wherein the authenticating step includes 
the use of a user password. 

21. (Original) The method of claim 1, 4, 9, or 10, wherein the authenticating step includes
the use of a record of time at which the request was made. 

22. (Original) The method of claim 1, 4, 9, or 10, wherein the authenticating step includes 
the use of a record of the user's physical location. 



23. (Cancelled)

24. (Cancelled)

25. (Cancelled)

26. (Cancelled)

27. (Cancelled)

28. (Cancelled)

29. (Cancelled)

30. (Cancelled)

31. (Cancelled)

32. (Cancelled)

33. (Cancelled)

34. (Cancelled)

35. (Cancelled)

36. (Cancelled)

37. (Cancelled)

38. (Cancelled)

39. (Cancelled)

40. (Cancelled)

41. (Cancelled)

42. (Cancelled)

43. (Cancelled)

44. (Cancelled)

45. (Cancelled)

46. (Cancelled)

47. (Cancelled)

48. (Cancelled)

49. (Cancelled)

50. (Cancelled)

51. (Cancelled)

52. (Previously Amended) A centralized security management system for distributing 
cryptographic capabilities to a plurality of network users over a decentralized public network, the 
system comprising: 

(a) a plurality of member tokens for providing cryptographic capabilities to authenticated 
users of the decentralized public network; 

(b) a set of server systems for managing the distribution of the member tokens; 

(c) means for requesting a member token from at least one server system; 

(d) a set of client systems, wherein each client system includes 

(i) means for receiving the requested member token, and 

(ii) means for utilizing the cryptographic capabilities provided by said member token 
for selective encryption and decryption; and

(e) means for securely distributing a requested member token from at least one server system
to at least one client system over the decentralized public network.

53. (Original) The system of claim 52, wherein each client system further includes user 
authentication means. 

54. (Original) The system of claim 52, wherein the means for requesting a member token 
resides on each client system. 

55. (Original) The system of claim 52, wherein means for authenticating a user resides on at 
least one server system. 

56. (Original) The system of claim 52, wherein managing the distribution of the member 
tokens includes dynamic updating of the member tokens. 

57. (Previously Amended) The method or system of claim 1, 4, 7 or 52, wherein the 
decentralized public network is the Internet. 

58. (Previously Amended) The method or system of claim 1, 4, 7 or 52, wherein the
decentralized public network is a cellular phone network. 

59. (New) The method of claim 1 wherein the access permission security profile received by 
the network user remains encrypted on a persistent memory device until decryption of one or more 
portions of the access permission security profile is deemed necessary to effectuate performing one
or more cryptographic operations on one or more objects.

60. (New) The method of claim 59 wherein the access permission security profile may be 
decrypted when the network user in receipt of the access permission security profile successfully 
performs an n-factor authentication operation. 

61. (New) The method of claim 1 wherein the network user in receipt of the access
permission security profile can no longer perform cryptographic operations on one or more objects
when the predetermined period of time associated with the ephemeral cryptographic characteristic
has expired.

62. (New) The method of claim 1 wherein the network user in receipt of the access
permission security profile cannot perform cryptographic operations on one or more objects when
one or more groups associated with the encrypted object do not match the network user's
membership in one or more groups within the domain.

63. (New) The method of claim 1 wherein decrypting selected portions of the encrypted 
object with the access permission security profile produces a secondary cryptographic key to be used 
in further decrypting other than the selected portions of the encrypted object. 

64. (New) The method of claim 1 wherein encrypting selected portions of the plaintext 
object includes encrypting a randomly generated value with respect to the one or more groups 
associated with plaintext object to be encrypted. 

65. (New) The method of claim 2 wherein the network user's membership in one or more 
different combination of groups corresponds to the network user's member credentials 
selected from a set of access permission credentials associated with the domain. 
66. (New) The method of claim 65 wherein encrypting selected portions of the plaintext
object includes 

encrypting the plaintext object using a randomly generated value; 

generating a pseudorandom value by encrypting the randomly generated value in 
combination with one or more different credentials selected from the set of access permission 
credentials associated with the domain; and 

embedding the pseudorandom value in the selected portions of the encrypted 
plaintext object. 

67. (New) The method of claim 65 wherein encrypting selected portions of the plaintext 
object includes 

encrypting the plaintext object using a randomly generated value; 

generating a pseudorandom value by encrypting the randomly generated value in 
combination with one or more different credentials selected from the set of access permission 
credentials associated with the domain; and 

embedding the pseudorandom value in the selected portions of the encrypted 
plaintext object. 